Abstract

It is commonly agreed that the success of future proof assistants will 
rely on their ability to incorporate computations within deduction in order 
to mimic the mathematician when replacing the proof of a proposition P 
by the proof of an equivalent proposition P' obtained from P thanks to 
possibly complex calculations. 

In this paper, we investigate a new version of the calculus of induc- 
tive constructions which incorporates arbitrary decision procedures into 
deduction via the conversion rule of the calculus. The novelty of the 
problem in the context of the calculus of inductive constructions lies in 
the fact that the computation mechanism varies along proof-checking: 
goals are sent to the decision procedure together with the set of user hy- 
potheses available from the current context. Our main result shows that 
this extension of the calculus of constructions does not compromise its 
main properties: confluence, subject reduction, strong normalization and 
consistency are all preserved. 

Keywords. Calculus of Inductive Constructions, Decision proce- 
dures, Theorem provers 

1 Introduction 

Background. It is commonly agreed that the success of future proof assistants 
will rely on their ability to incorporate computations within deduction in order 
to mimic the mathematician when replacing the proof of a proposition P by 
the proof of an equivalent proposition P' obtained from P thanks to possibly 
complex calculations. 

Proof assistants based on the Curry-Howard isomorphism such as Coq [5] 
allow one to build the proof of a proposition by applying appropriate proof tactics
generating a proof term that can be checked with respect to the rules of logic. 
The proof-checker, also called the kernel of the proof assistant, implements 
the inference and deduction rules of the logic on top of a term manipulation 
layer. Trusting the kernel is vital since the mathematical correctness of a proof 
development relies entirely on the kernel. 

¹ LORIA, UMR 7503 CNRS-INPL-INRIA-Nancy2-UHP, Equipe Protheo, Campus Scientifique,
BP 239, 54506 Vandoeuvre-les-Nancy Cedex, blanqui@loria.fr

² Projet LogiCal (Pole Commun de Recherche en Informatique du Plateau de Saclay, CNRS,
Ecole Polytechnique, INRIA, Univ. Paris-Sud.), LIX, UMR CNRS 7161, Ecole Polytechnique,
91128 Palaiseau, FRANCE, {jouannaud, strub}@lix.polytechnique.fr



The (intuitionist) logic on which Coq is based is the Calculus of Constructions
(CC) of Coquand and Huet [10], an impredicative type theory incorporating
polymorphism, dependent types and type constructors. As other logics, CC enjoys
a computation mechanism called cut-elimination, which is nothing but the
β-reduction rule of the underlying λ-calculus. But unlike logics without
dependent types, CC also enjoys a powerful type-checking rule, called
conversion, which incorporates computations within deduction, making
decidability of type-checking a non-trivial property of the calculus.

The traditional view that computations coincide with β-reductions suffers
several drawbacks. A methodological one is that the user must encode other
forms of computations as deduction, which is usually done by using appropriate,
complex tactics. A practical one is that proofs become much larger than
necessary, up to a point that they cannot be type-checked anymore. These
questions become extremely important when carrying out complex developments
involving a large amount of computation, as the formal proof of the four colour
(now proof-checked) theorem completed by Gonthier and Werner using Coq [14].

The Calculus of Inductive Constructions of Coquand and Paulin was a first
attempt to solve this problem by introducing inductive types and the associated
elimination rules [11]. The recent versions of Coq are based on a slight
generalization of this calculus [13]. Besides the β-reduction rule, they also
include the so-called ι-reductions which are recursors for terms and types.
While the kernel of CC is extremely compact and simple enough to make it easily
readable, hence trustable, the kernel of CIC is much larger and quite complex.
Trusting it would require a formal proof, which was done once [3]. Updating that
proof for each new release of the system is however unrealistic. CIC does not
solve our problem, though, since such a simple function as reverse of a
dependent list cannot be defined in CIC because a :: l and l :: a, assuming ::
is list concatenation and the element a can be coerced to a list of length 1,
have non-convertible types list(1 + n) and list(n + 1).

A more general attempt was carried out since the early 90's, by adding
user-defined computations as rewrite rules, resulting in the Calculus of
Algebraic Constructions [6]. Although conceptually quite powerful, since CAC
captures CIC [1], this paradigm does not yet fulfill all needs, because the set
of user-defined rewrite rules must satisfy several strong assumptions. No
implementation of CAC has indeed been released because making type-checking
efficient would require compiling the user-defined rules, a complex task
resulting in a kernel too large to be trusted anymore.

The proof assistant PVS uses a potentially stronger paradigm than Coq by
combining its deduction mechanism¹ with a notion of computation based on the
powerful Shostak's method for combining decision procedures [19], a framework
dubbed little proof engines by Shankar [18]: the little proof engines are the
decision procedures, required to be convex, combined by Shostak's algorithm.
A given decision procedure encodes a fixed set of axioms P. But an important
advantage of the method is that the relevant assumptions A present in the
context of the proof are also used by the decision procedure to prove a goal G,
and become therefore part of the notion of computation. For example, in the
case where the little proof engine is the congruence closure algorithm, the
fixed set of axioms P is made of the axioms for equality, A is the set of
algebraic ground equalities declared in the context, while the goal G is an
equality s = t between two ground expressions. The congruence closure algorithm
will then process A and s = t together in order to decide whether or not s = t
follows from P ∪ A. In the Calculus of Constructions, this proof must be
constructed by a specific tactic called by the user, which applies the
inference rules of CC to the axioms in P and the assumptions in A, and then
becomes part of the proof term being built. Reflection techniques allow one to
omit checking this proof term by proving the decision procedure itself, but the
soundness of the entire mechanism cannot be guaranteed [12].

¹ PVS logic is not based on Curry-Howard and proof-checking is not even
decidable, making both frameworks very different and difficult to compare.

Two further steps in the direction of integrating decision procedures into the
Calculus of Constructions are Stehr's Open Calculus of Constructions OCC [20]
and Oury's Extensional Calculus of Constructions [16]. Implemented in Maude,
OCC allows for the use of an arbitrary equational theory in conversion. ECC
can be seen as a particular case of OCC in which all provable equalities can be
used in conversion, which can also be achieved by adding the extensionality and
Streicher's axiom [15] to CIC, hence the name of this calculus. Unfortunately,
strong normalization and decidability of type checking are lost in ECC (and
OCC), which shows that we should look for more restrictive extensions. In
a preliminary work, we also designed a new, quite restrictive framework, the
Calculus of Congruent Constructions (CCC), which incorporates the congruence
closure algorithm in CC's conversion [5], while preserving the good properties
of the calculus, including the decidability of type checking.

Problem. The main question investigated in this paper is the incorporation 
of a general mechanism calling a decision procedure for solving conversion-goals 
in the Calculus of Inductive Constructions which uses the relevant information 
available from the current context of the proof. 

Contributions. Our main contribution is the definition and the meta-theoretical 
investigation of the Calculus of Congruent Inductive Constructions (CCIC), 
which incorporates arbitrary first-order theories for which entailment is decid- 
able into deduction via an abstract conversion rule of the calculus. A major 
technical innovation of this work lies in the computation mechanism: goals are 
sent to the decision procedure together with the set of user hypotheses available 
from the current context. Our main result shows that this extension of CIC 
does not compromise its main properties: confluence, strong normalization,
coherence and decidability of proof-checking are all preserved. Unlike previous
calculi, the main difficulty here is confluence, which led to a complex definition 
of conversion as a fixpoint. As a consequence of this definition, decidability of 
type checking becomes itself difficult. 

Finally, we explain why the new system is still trustable, by leaving decision 
procedures out of its kernel, assuming that each procedure delivers a checkable 
certificate which becomes part of the proof. Certificate checkers become them- 
selves part of the kernel, but are usually quite small and efficient and can be 
added one by one, making this approach a good compromise between CIC and 
the aforementioned extensions. 

We assume some familiarity with typed lambda calculi [2] and the Calculus 
of Inductive Constructions. 
2 The calculus



For ease of presentation, we restrict ourselves to CC_N, a calculus of
constructions with a type nat of natural numbers generated by its two
constructors 0 and S and equipped with its weak recursor Rec^w_N. The calculus
is also equipped with a polymorphic equality symbol = for which we use here a
mixfix notation, writing t =_T u (or even t = u when T is not relevant) instead
of = T t u.

Let S = {★, □, △} be the set of CC_N sorts. For s ∈ {★, □}, X^s denotes a
countably infinite set of s-sorted variables such that X^★ ∩ X^□ = ∅. The union
X^★ ∪ X^□ will be written X. For x ∈ X, we write s_x for the sort of x. Let
A = {u, r} be a set of two constants called annotations, totally ordered by
u ≺_A r, where r stands for restricted and u for unrestricted. We use a for an
arbitrary annotation.

Definition 2.1 (Pseudo-terms of CC_N). We define the pseudo-terms of CC_N by
the grammar rules:

    t, T := x ∈ X | s ∈ S | nat | = | 0 | S | + | Eq(t) | t u
          | λ[x :_a T] t | ∀(x :_a T). t | Rec^w_N(t, T){t_0, t_S}

We use FV(t) for the set of free variables of t.

Definition 2.2 (Pseudo-contexts of CC_N). The typing environments of CC_N are
defined as Γ, Δ := [] | Γ, [x :_a T] such that a variable cannot appear twice.
We use dom(Γ) for the domain of Γ and xΓ for the type associated to x in Γ.

Remark that in our calculus, assumptions stored in the proof context always
come along with an annotation used to control whether they can be used (in
case the annotation is r) or not in a conversion goal. We will later point out
why this is necessary.

Definition 2.3 (Syntactic classes). The pairwise disjoint syntactic classes of
CC_N, called objects (O), predicates or types (P), kinds (K), externs (E) and
△ are defined in Figure 1.

This enumeration defines a postfixed successor function +1 on classes
(O + 1 = P, P + 1 = K, ..., △ + 1 = ⊥). We also define Class(t) = D if t ∈ D
and D ∈ {O, P, K, E, △}, and Class(t) = ⊥ otherwise.

Our typing judgments are classically written Γ ⊢ t : T, meaning that the
well-formed term t is a proof of the proposition T under the assumptions in
the well-formed environment Γ. Typing rules are those of CIC restricted to the
single inductive type of natural numbers, with one exception, [Conv], based on
an equality relation called conversion defined in Section 2.1.

Definition 2.4 (Typing). Typing rules of CC_N are defined in Figure 2.

2.1 Computation by conversion

Our calculus has a complex notion of computation reflecting its rich structure
made of three different ingredients: the typed lambda calculus, the type nat
with its weak recursor, and Presburger arithmetic.
Figure 1: CC_N term classes



Our typed lambda calculus comes along with the β-rule. The η-rule raises
known technical difficulties, see [22].

The type nat is generated by the two constructors 0 and S whose typing rules
are given in Figure 2. We use Rec^w_N for its weak recursor whose typing rule
is given in Figure 2 as well. Following CIC's tradition, we separate its
arguments into two groups, using parentheses for the first two, and curly
brackets for the two branches. The computation rules of nat are given below:

Definition 2.5 (ι-reduction). The ι-reduction is defined by the following
rewriting system:

    Rec^w_N(0, Q){t_0, t_S}    →_ι  t_0
    Rec^w_N(S t, Q){t_0, t_S}  →_ι  t_S t (Rec^w_N(t, Q){t_0, t_S})

where t_0, t_S ∈ O.

These rules are going to be part of the conversion ~_Γ. Of course, we do not
want to type-check terms at each single step of conversion; we want to
type-check only the two starting terms forming the equality goal in [Conv].
But intermediate terms could then be non-typable and strong normalization
be lost.

The constructors 0 and S, as well as the additional first-order constant +,
are also used to build up expressions in the algebraic world of Presburger
arithmetic, in which function symbols have arities. We therefore have two
different possible views of terms of type nat, either as a term of the
calculus of inductive constructions, or as an algebraic term of Presburger
arithmetic. We now define precisely this algebraic world and explain in detail
how to extract algebraic information from arbitrary terms of CC_N.

Let T be the theory of Presburger arithmetic defined on the signature
Σ = {0, S(·), +} and Y a set of variables distinct from X. Note that we
syntactically distinguish the algebraic symbols 0 and S from the CC_N
constructors 0 and S by using a different font for them (a distinction that
this plain-text rendering cannot show; which reading is meant is always clear
from the context).

We write T ⊨ F if F is a valid formula in T, and T, E ⊨ F for T ⊨ E ⇒ F.

Definition 2.6 (Algebraic terms). The set Alg of CC_N algebraic terms is the
smallest subset of O such that i) X^★ ⊆ Alg, ii) 0 ∈ Alg, iii) ∀t ∈ CC_N.
S t ∈ Alg, iv) ∀t, u ∈ CC_N. t + u ∈ Alg.
[Axiom-1]   ⊢ ★ : □                    [Axiom-2]   ⊢ □ : △

[=-Intro]   ⊢ = : ∀(T :_u ★). T → T → ★

[Product]   Γ ⊢ T : s_T     Γ, [x :_a T] ⊢ U : s_U
            ───────────────────────────────────────
                    Γ ⊢ ∀(x :_a T). U : s_U

[Lambda]    Γ ⊢ ∀(x :_a T). U : s     Γ, [x :_a T] ⊢ u : U
            ──────────────────────────────────────────────
                 Γ ⊢ λ[x :_a T] u : ∀(x :_a T). U

[Weak]      Γ ⊢ V : s     Γ ⊢ t : T     s ∈ {★, □}     x ∈ X^s − dom(Γ)
            ───────────────────────────────────────────────────────────
                              Γ, [x :_a V] ⊢ t : T

[Var]       x ∈ dom(Γ)     Γ ⊢ xΓ : s_x
            ────────────────────────────
                   Γ ⊢ x : xΓ

[App]       Γ ⊢ t : ∀(x :_a U). V     Γ ⊢ u : U
            ─────────────────────────────────────
                    Γ ⊢ t u : V{x ↦ u}
            if a = r and U = t_1 =_T t_2 with t_1, t_2 ∈ O
            then t_1 ~_Γ t_2 must hold

[0-Intro]   ⊢ 0 : nat                  [S-Intro]   ⊢ S : nat → nat

[Nat]       ⊢ nat : ★                  [+-Intro]   ⊢ + : nat → nat → nat

[Eq-Intro]  Γ ⊢ t_1 : T     Γ ⊢ t_2 : T     Γ ⊢ p : ∀(P : T → ★). P t_1 → P t_2
            ────────────────────────────────────────────────────────────────────
                               Γ ⊢ Eq(p) : t_1 =_T t_2

[ι-Elim]    Γ ⊢ t : nat     Γ ⊢ Q : nat → ★     Γ ⊢ f_0 : Q 0
            Γ ⊢ f_S : ∀(n :_u nat). Q n → Q (S n)
            ───────────────────────────────────────────────────
                     Γ ⊢ Rec^w_N(t, Q){f_0, f_S} : Q t

[Conv]      Γ ⊢ t : T     Γ ⊢ T' : s'     T ~_Γ T'
            ──────────────────────────────────────
                          Γ ⊢ t : T'

Figure 2: Typing judgment of CC_N
Definition 2.7 (Algebraic cap and aliens). Given a relation R on CC_N, let R̄
be the smallest congruence on CC_N containing R, and π_R a function from CC_N
to Y ∪ X^★ such that t R̄ u iff π_R(t) = π_R(u).

The algebraic cap of t modulo R, cap_R(t), is defined by:

• cap_R(0) = 0, cap_R(S u) = S(cap_R(u)), cap_R(u + v) = cap_R(u) + cap_R(v),

• otherwise, cap_R(t) = t if t ∈ X^★ and π_R(t) else.

We call aliens the subterms of t abstracted by a variable in Y.

Observe that a term not headed by an algebraic symbol is abstracted by a
variable from our new set of variables Y in such a way that R̄-equivalent terms
are abstracted by the same variable.

We can now glue things together to define conversion.

Definition 2.8 (Conversion relation). The family {~_Γ}_Γ of Γ-conversions is
defined by the rules of Figure 3.

This definition is technically complex.

Being a congruence, ~_Γ includes congruence rules. However, these rules are
not quite congruence rules since crossing a binder extends the current
context Γ by the new assumption made inside the scope of the binding
construct, resulting in a family of congruences. More questions are raised by
the three different kinds of basic conversions.

First, ~_Γ includes the rules →_β and →_ι of CC_N. Unlike the beta rule, →_ι
interacts with first-order rewriting, and therefore the [Conv] rule of
Figure 2 cannot be expressed by T →*_βι ~_Γ ←*_βι T' as one would expect.

Second, ~_Γ includes the relevant assumptions grabbed from the context; this
is rule [Eq]. These assumptions must be of the form [x :_r T], with the
appropriate annotation r, and T must be an equality or otherwise β-reduce to
an equality. Note that we use only →_β here: using ~_Γ recursively instead is
indeed an equivalent formulation under our assumptions. Without annotations,
CC_N does not enjoy subject reduction. Generating appropriate annotations is
discussed in Section 4.

Third, with rule [Ded], we can also generate new assumptions by using
Presburger arithmetic. This rule uses the property that two algebraic terms
are equivalent in ~_Γ if their caps relative to ~_Γ are equivalent in T (the
converse being false). This is so because the abstraction function π_{~_Γ}
abstracts equivalent aliens by the same variable taken from Y. It is therefore
the case that deductions on caps made in Presburger arithmetic can be lifted
to deductions on arbitrary terms via the abstraction function. As a
consequence, the two definitions of the abstraction function π_{~_Γ} and of
the congruence ~_Γ are mutually inductive: our conversion relation is defined
as a least fixpoint.

2.2 Two simple examples

More automation - smaller proofs. We start with a simple example illustrating
how the equalities extracted from a context Γ can be used to deduce new
equalities in ~_Γ.
[βι]       t →_βι u  ⟹  t ~_Γ u

[Eq]       [x :_r T] ∈ Γ     T →*_β t_1 = t_2  ⟹  t_1 ~_Γ t_2

[Ded]      T, {cap(u_1) = cap(u_2) | u_1 ~_Γ u_2} ⊨ cap(t_1) = cap(t_2)
           ⟹  t_1 ~_Γ t_2          (caps taken modulo ~_Γ)

[Sym]      t ~_Γ u  ⟹  u ~_Γ t

[Trans]    t ~_Γ u     u ~_Γ v  ⟹  t ~_Γ v

[Eq-cong]  t ~_Γ u  ⟹  Eq(t) ~_Γ Eq(u)

[App]      t_1 ~_Γ u_1     t_2 ~_Γ u_2  ⟹  t_1 t_2 ~_Γ u_1 u_2

[Prod]     T ~_Γ U     t ~_{Γ,[x :_a T]} u     b ≼_A a
           ⟹  ∀(x :_b T). t ~_Γ ∀(x :_b U). u

[Lam]      T ~_Γ U     t ~_{Γ,[x :_a T]} u     b ≼_A a
           ⟹  λ[x :_b T] t ~_Γ λ[x :_b U] u

[Elim-W]   t ~_Γ u     P ~_Γ Q     t_0 ~_Γ u_0     t_S ~_Γ u_S
           ⟹  Rec^w_N(t, P){t_0, t_S} ~_Γ Rec^w_N(u, Q){u_0, u_S}

Figure 3: Conversion relation

    Γ = [x y t :_u nat], [f :_u nat → nat],
        [p_1 :_r t = 2], [p_2 :_r f(x + 3) = x + 2],
        [p_3 :_r f(y + t) + 2 = y], [p_4 :_r y + 1 = x + 2]

From p_1 and p_4 (extracted from the context by [Eq]), [Ded] will deduce
that y + t ~_Γ x + 3, and by congruence, f(y + t) ~_Γ f(x + 3). Therefore,
π_{~_Γ} will abstract f(x + 3) and f(y + t) by the same variable z, resulting
in two new equations available for [Ded]: z = x + 2 and z + 2 = y. Now,
z = x + 2, z + 2 = y and y + 1 = x + 2 form a set of unsatisfiable equations
and we deduce 0 ~_Γ 1 by the [Ded] rule: a contradiction has been obtained.
This shows that we can easily carry out a proof by contradiction in Γ.

More typable terms. We continue with a second example showing that the
new calculus can type more terms than CIC. For the sake of this example we
assume that the calculus is extended by dependent lists on natural numbers.
We denote by list (of type nat → ★) the type of dependent lists and by nil
(of type list 0) and cons (of type ∀(n : nat). list n → nat → list(S n)) the
list constructors. We also add a weak recursor Rec^w_L such that, given
P : ∀(n : nat). list n → ★, l_0 : P 0 nil and
l_S : ∀(n : nat)(l : list n). P n l → ∀(x : nat). P (S n) (cons n l x), then
Rec^w_L(l, P){l_0, l_S} has type P n l for any list l of type list n.

Assume now given a dependent reverse function (of type
∀(n : nat). list n → list n) and the list concatenation function @ (of type
∀(n n' : nat). list n → list n' → list(n + n')). We can simply express that a
list l is a palindrome: l is a palindrome if reverse l = l.

Suppose now that one wants to prove that palindromes are closed under
substitution of letters by palindromes. To make it easier, we will simply
consider a particular case: the list l_1 @ l_2 @ l_1 is a palindrome if l_1
and l_2 are palindromes. The proof sketch is simple: it suffices to apply as
many times as needed the lemma reverse(l @ l') = reverse(l') @ reverse(l) (*).
What can be quite surprising is that Lemma (*) is rejected by Coq. Indeed, if
l and l' are of length n and n', it is easy to check that reverse(l @ l') is
of type list(n + n') and reverse(l') @ reverse(l) of type list(n' + n), which
are clearly not βι-convertible. This is not true in our system: n + n' will of
course be convertible to n' + n, since their caps are equal in Presburger
arithmetic, and lemma (*) is therefore well-formed. Proving the more general
property needs of course an additional induction on natural numbers to apply
lemma (*) the appropriate number of times, which can of course be carried out
in our system.

Note that, although possible, writing a reverse function for dependent lists
in Coq is not that simple. Indeed, a direct inductive definition of reverse
will define reverse(cons n a l), of type list(1 + n), as reverse(l) @ a, of
type list(n + 1). Coq will reject such a definition since list(1 + n) and
list(n + 1) are not convertible. Figure 4 shows how reverse can be defined in
Coq, by threading an accumulator and rewriting with (transparent) arithmetic
lemmas in each branch.



Coq < Definition reverse : forall (n : nat), list n -> list n.
Coq < assert (reverse_acc : forall (n m : nat),
Coq <           list n -> list m -> list (m + n)).
Coq < refine (fix reverse_acc (n m : nat) (from : list n) (to : list m)
Coq <           {struct from} : list (m + n) := _).
Coq < destruct from as [ | n' v rest ].
Coq < (* nil case: list (m + 0) is list m up to plus_n_0 *)
Coq < rewrite <- plus_n_0_transparent; exact to.
Coq < (* cons case: list (m + S n') is list (S m + n') up to plus_n_Sm *)
Coq < rewrite <- plus_n_Sm_transparent;
Coq <   exact (reverse_acc n' (S m) rest (cons _ v to)).
Coq < intros n l. exact (reverse_acc _ _ l nil).
Coq < Defined.

Figure 4: reverse function in Coq



3 Metatheoretical properties

Most basic properties of Pure Type Systems (see [5]) are not too difficult.
Those using substitution instances are more delicate. They rely on the
annotations decorating the abstractions and products, which were introduced
for that purpose.

3.1 Stability by substitution

Assume that Γ is a typing environment of the form Γ_1, [p :_r a = b], Γ_2 (a
and b being two variables of type nat in Γ_1). Stability by substitution claims
that if we have a typing derivation Γ ⊢ t : T, then we can substitute p by a
term P (of type a = b under Γ_1) in this derivation and obtain a proof of
Γ_1, Γ_2θ ⊢ tθ : Tθ, where θ is the substitution {p ↦ P}. This property can
easily be proved for Pure Type Systems as soon as the conversion relation is
itself stable by substitution. In our example one can easily check that
a ~_Γ b, but a ~_{Γ_1,Γ_2θ} b will not hold in general: the assumption a = b
has been inlined and thus is no longer extractable by the conversion relation.
As a result, we need to strengthen the formulation of stability by
substitution:

Lemma 3.1. Let Γ = Γ_1, [z :_a W], Γ_2 and assume that i) T ~_Γ T', ii) if
a = r and W →*_β t_1 = t_2 then t_1 ~_{Γ_1} t_2. Then Tθ ~_Δ T'θ where
θ = {z ↦ w} and Δ = Γ_1, Γ_2θ.

Corollary 3.2 (Stability by substitution). Let Γ = Γ_1, [z :_a W], Γ_2 and
assume that i) Γ ⊢ t : T, ii) if a = r and W →*_β t_1 = t_2 then
t_1 ~_{Γ_1} t_2. Then Δ ⊢ tθ : Tθ where θ = {z ↦ w}, Γ_1 ⊢ w : W and
Δ = Γ_1, Γ_2θ.

As usual, the substitutivity lemma is to be used in the proof of subject
reduction (for →_Γ, to come later). Because it requires a specific typing
property for the equality assumptions annotated by r, we need to ensure this
property in the application case of the coming subject reduction proof. This
is indeed the origin of the similar condition arising in the typing rule
[App].

3.2 Conversion as rewriting

We now turn conversion into a rewriting relation in order to prove that our
system is logically consistent by analyzing a proof in normal form of
∀(x :_u ★). x. The notion of a normal proof is of course more complicated than
in CIC, since we must account for the congruence ~_Γ associated with an
arbitrary context Γ. The difficulty is that the set of equalities assumed in a
given environment Γ together with the axioms of the theory T may be
inconsistent, making all first-order terms equal in ~_Γ, which could break
strong normalization of our rewriting relation.

Definition 3.3 (T-consistent environment). A typing environment Γ is
T-consistent if there exist two terms t, u ∈ O such that ¬(t ~_Γ u).

Lemma 3.4. If Γ is T-consistent then ¬(0 ~_Γ S t) for any term t.

Definition 3.5 (Weak conversion). We inductively define a family of weak
conversion relations {≡_Γ}_Γ as the smallest congruent relation such that
t ≡_Γ u if T, Eq(Γ) ⊨ cap(t) = cap(u), where
Eq(Γ) = {cap(w_1) = cap(w_2) | w_1, w_2 ∈ O, [x :_r w_1 = w_2] ∈ Γ}.

Definition 3.6. We inductively define a family {→_Γ}_Γ of rewriting relations
modulo weak conversion as the smallest rewriting relations satisfying the
rules of Figure 5.

The first rule shows that rewriting is modulo weak conversion in a consistent
environment. The second equates all object terms when the environment is
inconsistent, replacing them by the new constant •. The others are as expected.

Lemma 3.7. 1. The rewriting relation →_Γ is confluent.

2. If t ~_Γ u then t ↔*_Γ u.

3. If t ↔*_Γ u with • ∉ t and • ∉ u then t ~_Γ u.

4. If Γ ⊢ t : T with Γ T-consistent and t ≡_Γ u, then Γ ⊢ u : T.
[Rw-Mod]   Γ is T-consistent     t ≡_Γ t'     t' →_Γ u'     u' ≡_Γ u
           ─────────────────────────────────────────────────────────
                                   t →_Γ u

[Rw-•]     Γ is T-inconsistent     t ∈ O     t ≠ •
           ────────────────────────────────────────
                              t →_Γ •

[Rw-βι]    t →_βι u  ⟹  t →_Γ u

[Rw-Fwd]   t →_Δ u     Γ →_β Δ  ⟹  t →_Γ u

[W-∀]      t →_{Γ,[x :_a T]} u     b ≼_A a
           ────────────────────────────────
           ∀(x :_b T). t →_Γ ∀(x :_b T). u

[W-λ]      t →_{Γ,[x :_a T]} u     b ≼_A a
           ────────────────────────────────
            λ[x :_b T] t →_Γ λ[x :_b T] u

Figure 5: Conversion as a rewriting system



Lemma 3.8. If Γ ⊢ t : T and t →_Γ u with • ∉ u, then Γ ⊢ u : T.

Proof. The proof is standard, by induction on the type derivation of the
left-hand side. The interesting case is when a β-reduction applies to the top
of a term of the form (λ[x :_a U] v) w and the typing rule is [App]: we then
conclude by using Corollary 3.2. Note that the side condition of rule [App]
provides us with the property needed for using Corollary 3.2. □

Lemma 3.9. The rewriting relation →_Γ is strongly normalizing for well-formed
terms.

Proof. The proof is a direct application of proof irrelevance [3], because
~_Γ is a congruence generated by equalities between object terms, apart from
β-reduction. What makes this true is that Rec^w_N is a weak recursor, working
at the object level. Including strong elimination rules invalidates this
argument. □

We finally conclude that CC_N is consistent:

Theorem 3.1. There is no proof of ⊢ t : ∀(x :_u ★). x.

Proof. Such a proof, applied to the proposition 0 = S 0, would give a closed
proof of 0 = S 0, so assume that ⊢ t : 0 = S 0 where t is →_Γ-normal (Γ being
the empty environment). Since 0 = S 0 is not convertible to a sort, t cannot be
equal to nat, or a sort, or a product. Since t is necessarily closed, t is not
a variable. Moreover, t cannot be of the form Rec^w_N(u, Q){t_0, t_S} since t
is closed and in →_ι-normal form.

If t is an application, it is necessarily of the form c u with
c ∈ {0, S, +, =}. By using inversion it suffices to check that in all these
cases, t has a type T which is not convertible to 0 = S 0.

If t = Eq(u), then t has type u = u with u of type nat and u = u convertible
to 0 = S 0. Thus 0 ~ S 0 in the empty environment, and T ⊨ 0 = 1, which is
impossible. □
3.3 Decidability of type checking

Theorem 3.2. Type checking of CC_N is decidable.

Decidability of type checking needs two ingredients. First of all, eliminating
[Conv], which is non-structural, by incorporating it into [App]. This is
classical, and it is easy to prove decidability of the transformed set of
rules for type-checking, assuming ~_Γ is decidable.

Deciding ~_Γ is more complex. We cannot use the rewrite system →_Γ for that
purpose since its first two rules use the T-consistency of Γ as a
prerequisite, which is not known in advance. We use instead a saturation based
algorithm. The method resembles very much the one used for combining
first-order decision procedures operating on disjoint alphabets [17, 1]. Basic
ingredients are: purification of formulas (here equations) by abstracting
aliens by new variables; deriving new equalities among variables by using the
appropriate decision procedure for pure formulas; propagating these new
equalities to the other formulas, until no new equality appears.
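The context Γ of Section 2.2 and the saturation method just sketched, as an added worked example that is not part of the paper or of the CCIC prototype: a small Python model of the least fixpoint of Definitions 2.7 and 2.8, restricted to nat-typed object terms and to the [Eq] and [Ded] rules. The term syntax, the variable names alien:i that stand for the variables of Y, and the use of Gaussian elimination over Q in place of a Presburger decision procedure are all assumptions of the example (reasoning over Q is sound for nat but not complete, since x + x = 1 is unsatisfiable in nat yet satisfiable in Q; a kernel would call a complete procedure).

```python
from fractions import Fraction
from itertools import combinations

# Constructed term syntax: Presburger symbols are ('0',), ('S', t), ('+', t, u);
# ('var', 'x') is a nat variable; ('app', 'f', (t, ...)) is an alien (Def. 2.7).
ZERO = ('0',)
def S(t): return ('S', t)
def plus(t, u): return ('+', t, u)
def var(x): return ('var', x)
def app(f, *args): return ('app', f, args)
def num(n): return ZERO if n == 0 else S(num(n - 1))   # the numeral S^n(0)

def combine(f, g, sign):   # linear form f + sign*g; a form is (coefs, const)
    coefs = dict(f[0])
    for v, a in g[0].items():
        coefs[v] = coefs.get(v, Fraction(0)) + sign * a
    return ({v: a for v, a in coefs.items() if a}, f[1] + sign * g[1])

class Linear:
    """Gaussian elimination over Q, standing in for the Presburger oracle T
    (assumption of this demo: sound for nat, but not complete)."""
    def __init__(self):
        self.rows, self.inconsistent = [], False   # rows: (pivot, form)
    def reduce(self, form):     # eliminate every pivot, in insertion order
        for pivot, row in self.rows:
            c = form[0].get(pivot)
            if c: form = combine(form, row, -c / row[0][pivot])
        return form
    def add(self, form):        # assume form = 0
        coefs, const = self.reduce(form)
        if coefs: self.rows.append((next(iter(coefs)), (coefs, const)))
        elif const: self.inconsistent = True      # derived 0 = k with k != 0
    def entails(self, form):    # do T and the rows give form = 0 ?
        coefs, const = self.reduce(form)
        return self.inconsistent or (not coefs and not const)

class Conversion:
    """t ~_G u on nat-typed object terms: least fixpoint of alien abstraction
    (Definition 2.7) and rule [Ded], computed by saturation as in section 3.3."""
    def __init__(self, hypotheses):
        self.eqs = hypotheses           # (t, u) pairs from [p :r t = u] in Gamma
        self.parent, self.yid = {}, {}  # union-find over aliens; their Y-names
        for t, u in hypotheses: self.register(t); self.register(u)
        self.saturate()
    def register(self, t):      # record every alien occurring in t
        if t[0] == 'app':
            self.yid.setdefault(t, len(self.yid)); self.parent.setdefault(t, t)
            for s in t[2]: self.register(s)
        elif t[0] in ('S', '+'):
            for s in t[1:]: self.register(s)
    def find(self, a):
        while self.parent[a] != a: a = self.parent[a]
        return a
    def cap(self, t):           # algebraic cap modulo the current congruence
        if t[0] in ('0', 'var'): return t
        if t[0] in ('S', '+'): return (t[0],) + tuple(map(self.cap, t[1:]))
        return ('var', 'alien:%d' % self.yid[self.find(t)])
    def linear(self, t):        # linear form over Q of an algebraic cap
        if t[0] == '0': return ({}, Fraction(0))
        if t[0] == 'var': return ({t[1]: Fraction(1)}, Fraction(0))
        if t[0] == 'S': return combine(self.linear(t[1]), ({}, Fraction(1)), 1)
        return combine(self.linear(t[1]), self.linear(t[2]), 1)
    def goal(self, t, u):       # cap(t) - cap(u), tested against 0 by [Ded]
        return combine(self.linear(self.cap(t)), self.linear(self.cap(u)), -1)
    def saturate(self):         # purify, decide on caps, propagate, repeat
        while True:
            self.lin = Linear()
            for t, u in self.eqs: self.lin.add(self.goal(t, u))      # [Eq]
            roots = [a for a in self.parent if self.find(a) == a]
            merged = False
            for a, b in combinations(roots, 2):   # congruence between aliens
                if (a[1] == b[1] and len(a[2]) == len(b[2])
                        and self.find(a) != self.find(b)
                        and all(self.lin.entails(self.goal(s, r))
                                for s, r in zip(a[2], b[2]))):
                    self.parent[self.find(b)] = self.find(a); merged = True
            if not merged: return
    def convertible(self, t, u):  # the goal is sent together with Gamma
        n = len(self.yid)
        self.register(t); self.register(u)
        if len(self.yid) != n: self.saturate()   # new aliens may be congruent
        return self.lin.entails(self.goal(t, u))

# The context Gamma of section 2.2: t = 2, f(x+3) = x+2, f(y+t)+2 = y, y+1 = x+2
x, y, t = var('x'), var('y'), var('t')
def f(s): return app('f', s)
GAMMA = [(t, num(2)), (f(plus(x, num(3))), plus(x, num(2))),
         (plus(f(plus(y, t)), num(2)), y), (plus(y, num(1)), plus(x, num(2)))]

def demo():
    partial = Conversion([GAMMA[0], GAMMA[1], GAMMA[3]])   # p3 left out
    full = Conversion(GAMMA)
    return {'f_congruent': partial.convertible(f(plus(y, t)), f(plus(x, num(3)))),
            'partial_consistent': not partial.lin.inconsistent,
            'partial_0_is_1': partial.convertible(num(0), num(1)),
            'full_consistent': not full.lin.inconsistent,
            'full_0_is_1': full.convertible(num(0), num(1))}
```

Without p_3 the context stays T-consistent: the aliens f(y + t) and f(x + 3) are merged because y + t = x + 3 follows from p_1 and p_4 on the caps, so the two applications convert, while 0 ~ 1 is refused. With all four hypotheses the purified system reduces to 0 = 3 and, as in the text, every pair of object terms converts. Note that convertible() re-saturates when the goal brings in aliens the context did not contain; this is the point of sending the goal together with the hypotheses rather than deciding the context once and for all.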

4 Conclusion and discussion

CC_N is an extension of CIC (restricted to the weak elimination rules of the
inductive type nat) by a fragment of Presburger arithmetic (without the strict
order < on natural numbers) in which conversion incorporates Presburger
arithmetic, β-reduction and higher-order primitive recursion into a single
mechanism. We now discuss in more detail how this can be generalized to full
CIC, how this can be used in practice, how useful that is, and whether the
obtained kernel is trustable.

Relevance. Our second example shows very clearly the expressivity of our
calculus with respect to CIC. However, what is done here by a typing rule could
be done alternatively in CIC by a tactic. Besides, if one wants to avoid
building a proof term which can be quite large and slow down the type-checker,
it is possible to prove the tactic and then use a reflection mechanism in
order to avoid type-checking the proof each time the tactic is called. In both
cases, however, the user must call the tactic explicitly. In our approach,
this is completely transparent, and would remain transparent in case of a
succession of uses of the decision procedure separated by eliminations, since
conversion incorporates both, or in case of different decision procedures
called successively.

Extension to CIC. Building decision procedures in a type-theoretic framework
is not that easy. The main difficulty lies in the adequate definition of the
congruence ~_Γ. Once the definition is obtained, carrying out the technical
development is not too difficult in the case of the pure Calculus of
Constructions (the congruence becomes much simpler in this case), difficult in
the present case of CC_N (because of the presence of the weak recursor for
nat), no more difficult when other decidable theories are introduced such as
lists with their associated recursors, but much harder when including strong
elimination rules which interact with the first-order theories. In this case,
it is necessary to block the congruence below the strong recursor in order to
avoid lifting an incoherence from the object level to the predicate level,
which would immediately yield paradoxes [21].
Annotations restriction. One may wonder how annotations can be handled in
practice. As seen, annotations are used to forbid inlining (when a β-redex is
contracted) of equational assumptions which are used by conversion. This
could be seen as a restriction since our calculus, in order to avoid the
creation of problematic β-redexes, forbids in most cases applications of
symbols of type ∀(p :_r t = u). T.

This restriction can be removed by using the notion of opaque definitions
(as opposed to transparent definitions) of Coq, which allows the user to
define symbols that the system cannot inline. In most cases, definitions
having a computational behavior (like +) are transparent whereas definitions
representing lemmas (like the associativity of +) are opaque. This convention
is used in the standard library of Coq.

Returning to our previous example, if the user needs to prove a lemma of the
form ∀(p :_r t = u). T, he or she should declare it as an opaque definition
P := λ[p :_r t = u] q. The application of P to a term v should then be
allowed: the term P v cannot reduce to q{p ↦ v}. Of course, if P is defined
transparently, the application P v has to be forbidden.

Moreover, this gives us a simple heuristic to automatically tag products and
abstractions: the r annotation should be used by default when the user is
defining an opaque symbol, whereas the u annotation should be used everywhere
else.

Arbitrary decision procedures. So far, we have considered only decidable
equational theories. But it is well-known that a decidable theory can always
be transformed into a decidable equational theory over the type Bool of truth
values equipped with its usual operations. This is so because of the
decidability assumption.

Type level equalities. One may wonder whether the conversion relation of
CC_N could use type level equalities (or hypotheses of the form P ↔ Q). The
answer seems to be negative: extracting type level equalities breaks subject
reduction and β-strong normalization (see [16]), two properties needed for
the decidability of our calculus.

Trusting the kernel. Decision procedures require complex coding. It took a
lot of time to get a correct tactic for Presburger arithmetic in Coq. Including
a tactic into the kernel of the system is therefore unrealistic, unless it is
itself proved correct with a trustable proof assistant. On the other hand, most
decision procedures can provide a certificate that is quite compact and can be
verified by a certificate checker which is usually small, and easy to write
and read, and is therefore a trustable piece of code. The reason is that the
procedure searches for a proof while the certificate checker only verifies
that the certificate is correct. A certificate checker looks indeed like a
proof-checker. It is then easy to modify the conversion rule so as to output a
certificate each time a decision procedure is used. The kernel of CC_N should
therefore include a certificate checker for Presburger arithmetic. In case of
CCIC with several decision procedures, the kernel would include one
certificate checker for each decision procedure. Besides, the process is
incremental: the procedures and the associated checkers can be included one
by one, because decision procedures for different inductive types operate on
disjoint vocabularies, hence can be combined [17, 1].
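To make this trust boundary concrete, here is an added example (not code from the paper or from its prototype) of the split between an untrusted decision procedure and the certificate checker that would sit in the kernel, for the linear equalities that [Ded] hands to the oracle after purification. As in the earlier example it assumes that reasoning over Q stands in for Presburger arithmetic (sound but not complete), and it chooses the simplest possible certificate: the rational combination of hypotheses that reproduces the goal, or, when Γ is T-inconsistent, a combination that reduces to 0 = k with k ≠ 0. The checker recomputes one linear combination and compares; it never searches, and it rejects a forged certificate.

```python
from fractions import Fraction

# A linear form over Q is a dict {variable: coefficient}; the key ONE holds the
# constant, so {'x': 1, ONE: -2} reads x - 2.  An equation l = r is the form
# l - r = 0, which is what the caps of section 2.1 become after purification.
# (Representation chosen for this example.)
ONE = '1'

def add_scaled(acc, form, factor):   # acc += factor * form, dropping zeros
    for v, a in form.items():
        acc[v] = acc.get(v, Fraction(0)) + Fraction(factor) * a
        if acc[v] == 0: del acc[v]
    return acc

def is_constant(form):               # no variable has a non-zero coefficient
    return all(v == ONE for v in form)

class CertifyingProver:
    """Untrusted side: Gaussian elimination over Q that records, for each
    derived row, the rational combination of hypotheses it came from.  That
    combination is the certificate handed to the kernel."""
    def __init__(self, hyps):
        self.hyps = [add_scaled({}, h, 1) for h in hyps]
        self.rows, self.refutation = [], None     # rows: (pivot, form, combo)
        for i, h in enumerate(self.hyps):
            form, combo = self.reduce(dict(h), {i: Fraction(1)})
            if not is_constant(form):
                self.rows.append((next(v for v in form if v != ONE), form, combo))
            elif form and self.refutation is None:
                self.refutation = combo             # this combination is 0 = k, k != 0

    def reduce(self, form, combo):   # invariant: form == start + sum(combo[i]*hyps[i])
        for pivot, rform, rcombo in self.rows:
            factor = -form.get(pivot, Fraction(0)) / rform[pivot]
            if factor:
                add_scaled(form, rform, factor)
                add_scaled(combo, rcombo, factor)
        return form, combo

    def certify(self, goal):         # goal is a form to be shown equal to 0
        if self.refutation is not None:
            return ('refutation', self.refutation)
        form, combo = self.reduce(add_scaled({}, goal, 1), {})
        if form:                                      # residue: not derivable over Q
            return None
        return ('combination', {i: -c for i, c in combo.items()})

def check_certificate(hyps, goal, certificate):
    """Trusted side (what the kernel has to contain): re-add the hypotheses
    with the certificate's coefficients and compare; no search, no elimination."""
    kind, coeffs = certificate
    total = {}
    for i, c in coeffs.items():
        add_scaled(total, hyps[i], c)
    if kind == 'combination':
        return total == add_scaled({}, goal, 1)
    if kind == 'refutation':
        return bool(total) and is_constant(total)     # 0 = k with k != 0
    return False

# Purified hypotheses of the section 2.2 example, z abstracting f(x+3) ~ f(y+t):
# t = 2, z = x + 2, z + 2 = y, y + 1 = x + 2.
HYPS = [{'t': 1, ONE: -2}, {'z': 1, 'x': -1, ONE: -2},
        {'z': 1, 'y': -1, ONE: 2}, {'y': 1, 'x': -1, ONE: -1}]
CONSISTENT = [HYPS[0], HYPS[3]]                       # t = 2 and y + 1 = x + 2 only
GOAL = {'y': 1, 't': 1, 'x': -1, ONE: -3}             # y + t = x + 3

def demo():
    cert = CertifyingProver(HYPS).certify({ONE: -1})  # goal 0 = 1: needs a refutation
    prover = CertifyingProver(CONSISTENT)
    cert2 = prover.certify(GOAL)
    return {'refutation_kind': cert[0],
            'refutation_ok': check_certificate(HYPS, {ONE: -1}, cert),
            'entailed_ok': check_certificate(CONSISTENT, GOAL, cert2),
            'not_entailed': prover.certify({'x': 1}),  # x = 0 does not follow
            'forged_rejected': check_certificate(CONSISTENT, GOAL,
                                                 ('combination', {0: 1}))}
```

The asymmetry is the whole point: CertifyingProver is allowed to be as clever (and as buggy) as it likes, since a wrong certificate is simply rejected; only check_certificate and the few lines of form arithmetic it relies on would need to be trusted, and they are linear in the size of the certificate. A complete Presburger procedure would need a richer certificate format (for instance to justify that a system with no integer solution is inconsistent), but the division of labour is the same.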






An implementation of CCIC has started and should be available soon as a 
prototype in a version without certificate generation and checking. 